Valve confirms indications from earlier this week that the downtime on the Steam Users' Forums was the result of a break-in, revealing that the Steam service itself also suffered an intrusion. Here is a message from Valve's Gabe Newell explaining the situation:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

It's already gone down many times over the years, removing your access to the games you paid for. It'll happen again, we're just talking about when and for how long. While a month or more of downtime may be unlikely, the same was said about PSN and Steam getting hacked at all.

saluk wrote on Nov 11, 2011, 16:22: The problem with the Sony hack was people were locked out for months with no functionality, on top of all the privacy/identity issues.

Well, that could happen with Steam also. It's why I don't want any game I buy to be dependent on Steam. Optionally, Steam is fine, but it should never be required for any game. A game should be able to function entirely independently of Steam and only use Steam features optionally.

I think the response and the protections Valve employed (password hashes, encryption, SteamGuard) are about the best we can hope for in a hack like this. I really hope they get to the bottom of this soon. The problem with the Sony hack was people were locked out for months with no functionality, on top of all the privacy/identity issues.

CJ, I believe he meant the Steam client has been just fine for a while now, NOT since the beginning. Just about everyone knows the great big STEAMing pile of shit Steam was at launch; but those problems have been long gone.

“The greatness of a nation and its moral progress can be judged by the way its animals are treated.” - Mahatma Gandhi

CJ_Parker wrote on Nov 10, 2011, 21:40: Say what? Granted... things have improved a lot and Steam has come a long way but let's not forget the very past you mentioned. And in that regard what do you mean with "respect"? You mean "respect" as in forcing a sluggish, buggy, unstable, unresponsive, plain fucking annoying, intrusive piece of shit client down our collective throats? Yeah. That's some really great 'spect they showed us right there. I'm still in awe. No, really. I am.

Say what? The Steam client is and has been just fine. It brings a lot more convenience to the table than it does inconvenience.

If it is sluggish for you, perhaps it is time to upgrade your Mendocino processor to something more modern.

RollinThundr wrote on Nov 10, 2011, 23:01: Regardless is he that wrong? People bitched up a storm about Sony,

Actually yes he is that wrong. Not only was his list of problems with Steam completely and utterly false and 5 years old, Valve has got several systems in place to help provide protection to the end users. The most notable being SteamGuard, another being that Steam, Steam Forums and Steam Support are all separate accounts. As others have already pointed out, the data was well secured.

Furthermore yes, for them or any company to rush to make a statement without any investigation is amateurish. And yes rushing and making incorrect statements can be more damaging, particularly if you understate the problem only for it to turn out to be far worse. The same applied to Sony. However in both of these cases, we did know about the breaches within 48 hours, the companies just did not issue immediate statements.

And I've said it before and I'll say it again. No system is 100% secure. Nothing is secure, not your home, not your car, not your workplace, not the internet, not your banks, nothing. The sooner everyone figures that out, the sooner they will stop making ridiculously stupid comments like some of the ones made here and during the Sony incident.

The primary difference here is as already mentioned, Valve has several public security measures in place (i.e. SteamGuard), while most companies do not even provide that.

RollinThundr wrote on Nov 10, 2011, 23:01: Regardless is he that wrong? People bitched up a storm about Sony, yet when it's Valve it's another case of Oh it's Valve, they can do no wrong. The hypocrisy involving certain dev/publishers around here is just comical.

Valve didn't take weeks to disclose it and plenty of people here are not happy with them about this. What more do you want, a Gabe crucifix?

Sony bungled their mishap from start to finish and it's no surprise they were lambasted by both the press and customers.

No a crucifix isn't needed, it wouldn't support his weight anyway. I kid I kid!

Really, it's annoying that it happened as I actually use Steam; I just tend to notice a trend that certain devs/publishers, though mostly devs, tend to get defended quite a bit while others, due to past reputation or whatever, get shit on for the smallest things.

I'm not the biggest Valve fan but I don't have the obsessive hate Riley does either to be honest.

There is no hypocrisy. Sony took forever to respond, then took their servers offline for months, and had to rebuild their entire infrastructure.

Sony was fucking incompetent as hell throughout the whole thing.

No one is invulnerable to hacks. The important thing is how well-secured the data that was stolen is, and how they respond to it. Sony had jack shit security on the stored data - they didn't even fucking salt the passwords, one of the most elementary lessons in security.

Regardless is he that wrong? People bitched up a storm about Sony, yet when it's Valve it's another case of Oh it's Valve, they can do no wrong. The hypocrisy involving certain dev/publishers around here is just comical.

Just like in politics, it's not so much what someone says as why he or she is saying it.

Riley, no matter what name he chooses, has a clear obsessive agenda to verbally lambast Steam and Valve at every possible opportunity. He is an obsessive hate-spindoctor who believes Valve can do nothing right. Riley lacks the ability to objectively view any case concerning Valve or Steam, blinded by his hateful obsession as he is. So any point he makes, regardless of the apparent wisdom behind his words, needs to be viewed through that prism. 'nin' seems pretty sure his anti-Valve crusade has to do with his employment by a rival studio, and I am inclined to agree.

Personally, while disappointed (and truth be told, a tad worried) by the news of the hack, I'm not all that bent out of shape about it, nor was I with Sony's, because shit happens, and it's impossible to prepare for every contingency. Nothing is asshole-proof because they are always building better assholes.

nin wrote on Nov 10, 2011, 21:21: Assley! I can't believe you took this long to show up! How's things at Monolith?

Regardless is he that wrong? People bitched up a storm about Sony, yet when it's Valve it's another case of Oh it's Valve, they can do no wrong. The hypocrisy involving certain dev/publishers around here is just comical.

Mordecai Walfish wrote on Nov 10, 2011, 21:29: Alerting and sending into a fervor millions of customers *IMMEDIATELY* is a short-sighted and amateur response.

hahahaha! So it's better to send them into an even bigger fervor days later after the customers find out that the crooks have had their personal and payment data for days without warning?! You Valve apologists are unbelievable.

If a security breach were ever so severe to warrant this it would entail the developer having a great deal of certainty that crucial personal data is at risk of potentially being decrypted and manipulated.

First, having payment details stolen in a breach is severe especially when it involves tens of millions of customers as it does here. Second, expecting the victim company of the breach to be certain about anything regarding security after a breach has recently occurred is laughable. If these hackers had not defaced the forum website, Valve probably would not have even known about this breach. So, using the victim company's judgment on the severity of breach and the full ramifications of it on customers is simply foolhardy.

Please don't expect such poppycock from Valve. They have shown enough respect for the gamer community in the past

This incident proves that Valve doesn't respect its customers enough to spend sufficient resources to properly protect customers' information or to notify them promptly if their information has been stolen.